Efficient, Secure, Scalable Scanning of Cloud Data Stores

Vamsi Koduru
September 9, 2024

Organizations typically make use of a variety of data stores, each tailored to specific applications and use cases. As data spreads across different platforms, the challenge for Data Security Posture Management (DSPM) vendors is clear: how can they efficiently and securely identify and classify sensitive data across the widest range of environments without compromising performance or security?

The answer lies in flexibility and adaptability. In this post, we’ll dive into how Normalyze scans some of the most complex environments—cloud databases, volumes attached to virtual machines, and data stores protected by virtual private clouds—to ensure your data remains protected, wherever it is.

Snapshot-based scanning of cloud databases

SQL-based cloud databases like Amazon RDS, Azure SQL, and Google Cloud SQL present challenges for scanning and classifying sensitive data. Typically, DSPM vendors use authentication-based scanning, which requires access to the production database to authenticate and run queries. However, querying a production instance can have a significant performance impact, potentially disrupting operations.

Normalyze tackles this challenge with a frictionless approach: snapshot-based scanning. Instead of querying the live database, Normalyze mounts the database backup—a process that has no impact on performance or security and that requires no authentication details, which are time-consuming for security teams to obtain from operations or database teams. By running queries on the backup, Normalyze ensures that the live database remains untouched.

For added efficiency, Normalyze typically leverages pre-existing snapshots of the database, eliminating the need to create a new snapshot, which can have storage and processing costs for a large database. There is of course a trade-off in that the snapshot is a point-in-time capture of the database state at the time the snapshot was taken. But for many situations, snapshot scanning produces results that accurately represent the security posture of the database. And customers always have the option of creating a new snapshot or aligning their scanning schedule to their snapshot schedule.

For additional flexibility, Normalyze supports the option of authentication-based scanning when preferred by the customer.

Scanning of volumes attached to virtual machines

Scanning volumes attached to virtual machines on cloud infrastructure is subject to the same challenges, except the data stored in virtual machines is typically much smaller, so most organizations are not concerned with the storage and processing costs of creating new snapshots for scanning.

Scanning of data stores protected by VPCs

Data stores housed within a Virtual Private Cloud (VPC) pose a different set of challenges. A VPC is a securely isolated section of a cloud provider’s network, offering control over network settings like firewall rules and security groups. However, the security measures that protect these data stores can also complicate the scanning process.

Many vendors adopt an extract and scan model, where the complete customer data is copied from the VPC-protected data store to the vendor’s environment for scanning. This approach introduces several issues, not the least of which is that the scanning vendor gains full control over the copied data, including when it is to be deleted and who has access to it. It also requires configuring a tunnel through the customer’s firewall so that the scanning vendor can access the private database, which slows down deployment and increases the potential attack surface. Additionally, this method incurs data transfer costs in copying the customer data as well as potential loss of data lineage information for the data being scanned.

Normalyze takes a different approach: in-place scanning. Instead of extracting data, Normalyze deploys a scanner within the customer’s account and sends only scan results back to Normalyze, ensuring that the original data remains secure and within the customer’s environment and control. If the VPC has centralized internet access, sending scan results to Normalyze is seamless with minimal configuration. If not, simple configurations can be made to ensure the scan results reach Normalyze securely.

This approach ensures that data stores protected by VPCs, whether running on AWS, Azure, or Google Cloud Platform, are scanned efficiently and securely without compromising on control or security.
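As an added illustration of the in-place scanning model described above (example code, not Normalyze's own), the following Python sketch classifies rows where they live and builds an export report that carries only findings metadata, with a gate that refuses to export if any raw cell value has slipped into the report. The table rows, detector patterns and all names are constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed rows standing in for a table inside the customer's VPC (example data).
SAMPLE_ROWS = [
    {"id": 1, "email": "alice@example.com", "ssn": "123-45-6789", "notes": "ok"},
    {"id": 2, "email": "bob@example.org", "ssn": "987-65-4321", "notes": "n/a"},
    {"id": 3, "email": "not-an-email", "ssn": "", "notes": "call 555-0100"},
]

# Deliberately simple classifiers; a production DSPM engine validates far more.
DETECTORS = {
    "EMAIL": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "US_SSN": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}

@dataclass(frozen=True)
class Finding:
    column: str   # where the sensitive data lives
    label: str    # what kind of data it is
    hits: int     # how many sampled cells matched

def scan_table(rows, table="customers", sample_limit=1000):
    """Classify rows in place; return a report that contains no raw cell values."""
    counts = Counter()
    sampled = 0
    for row in rows[:sample_limit]:
        sampled += 1
        for col, val in row.items():
            if not isinstance(val, str) or not val:
                continue
            for label, rx in DETECTORS.items():
                if rx.match(val):
                    counts[(col, label)] += 1
    findings = [Finding(c, l, n) for (c, l), n in sorted(counts.items())]
    return {"table": table, "rows_sampled": sampled, "findings": findings}

def leaks_raw_values(report, rows, min_len=4):
    """Export gate: True if any raw string cell from the scanned rows appears in the report."""
    serialized = repr(report)
    cells = (v for row in rows for v in row.values() if isinstance(v, str))
    return any(v in serialized for v in cells if len(v) >= min_len)

if __name__ == "__main__":
    report = scan_table(SAMPLE_ROWS)
    assert not leaks_raw_values(report, SAMPLE_ROWS)
    print(report)  # only table name, row count and (column, label, hits) leave the VPC
```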

A trusted, adaptable solution

With data environments becoming increasingly complex, Normalyze’s flexible, efficient, and secure scanning approach sets it apart. By prioritizing performance and minimizing impact, Normalyze ensures that organizations can confidently manage their data security posture across diverse platforms. Whether dealing with cloud databases, volumes attached to virtual machines, or data stores protected by VPCs, Normalyze offers a trusted, adaptable solution for security teams.

Vamsi Koduru

Vamsi is director of product management. As a founder and entrepreneur, he is passionate about building and scaling products that change the status quo. He comes to Normalyze with a background in AML/KYC, virtual assistants, conversational design, and identities.